INSIGHTS, NEWS & DISCOVERIES FROM IOACTIVE RESEARCHERS

Tuesday, January 22, 2013

You cannot trust social media to keep your private data safe: Story of a Twitter vulnerability

I’m always worried about the private information I have
online. Maybe this is because I have been hacking for a long time, and I know
everything can be hacked. This makes me a bit paranoid. I have never trusted
web sites to keep my private information safe, and nowadays it is impossible
not to have private information published on the web, such as on a social media web
site. Sooner or later you could get hacked; this is a fact.

Currently, many web and mobile applications give users the option to sign
in using their Twitter or Facebook account. Keeping in mind the fact that Twitter
currently has 200 million active monthly users (http://en.wikipedia.org/wiki/Twitter),
it makes a lot of sense for third-party applications to offer users an easy way
to log in. Also, since applications can obtain a wealth of information from
your Twitter or Facebook account, most of the time you do not even need to
register. This is convenient, and it saves time signing into third-party
applications using Twitter or Facebook.

Every time I’m asked to sign in using Twitter or Facebook,
my first thought is, “No way!” I don’t
want to give access to my Twitter and Facebook accounts regardless of whether I
have important information there or not. I always have an uneasy feeling about giving
a third-party application access to my accounts due to the security
implications.

Last week I had a very interesting experience. I was testing
a web application that is under development. This application had an option to
allow me to sign into Twitter. If I selected this option, the application would
have access to my Twitter public feed (such as reading Tweets from my timeline
and seeing who I follow). In addition, the application would have been able to
access Twitter functionality on my behalf (such as following new people,
updating my profile, posting Tweets for me). However, it wouldn’t have access
to my private Twitter information (such as direct messages and more importantly
my password). I knew this to be true because of the following information that
is displayed on Twitter’s web page for “Signing in with Twitter”:

Image 1

After viewing the displayed web page, I trusted that Twitter
would not give the application access to my password and direct messages. I
felt that my account was safe, so I signed in and played with the application.
I saw that the application had the functionality to access and display Twitter
direct messages. The functionality, however, did not work, since Twitter did
not allow the application to access these messages. In order to gain access,
the application would have to request proper authorization through the
following Twitter web page:

Image 2

The web page displayed above is similar to the previous web
page (Image 1). However, it also says the application will be able to access
your direct messages. Also, the blue button is different. It says “Authorize
app” instead of “Sign in”. While playing with the application, I never saw this
web page (Image 2). I continued playing with the application for some time,
viewing the functionality, logging in and out from the application and Twitter,
and so on. After logging in to the application, I suddenly saw something
strange. The application was displaying all of my Twitter direct messages. This
was a huge and scary surprise. I wondered how this was possible. How had the
application bypassed Twitter’s security restrictions? I needed to know the
answer.

My surprise didn’t end here. I went to https://twitter.com/settings/applications
to check the application settings. The page said “Permissions: read, write, and
direct messages”. I couldn’t understand how this was possible, since I had
never authorized the application to access my “private” direct messages. I
realized that this was a huge security hole.

I started to investigate how this could have happened. After
some testing, I found that the application obtained access to my private direct
messages when I signed in with Twitter for a second or third time. The first
time I signed in with Twitter on the application, it only received read and
write access permissions. This gave the application access to what Twitter displays
on its “Sign in with Twitter” web page (see image 1). Later, however, when I
signed in again with Twitter without being already logged in to Twitter (not having an
active Twitter session – you have to enter your Twitter username and password),
the application obtained access to my private direct messages. It did so
without having authorization, and Twitter did not display any messages about
this. It was a simple bypass trick for third-party applications to obtain
access to a user’s Twitter direct messages.

In order for a third-party application to obtain access to
Twitter direct messages, it first has to be registered and have its direct
message access level configured here: https://dev.twitter.com/apps.
This was the case for the application I was testing. In addition, and more importantly, the
application has to obtain authorization on the Twitter web page (see Image 2)
to access direct messages. In my case, it never got this. I never authorized
the application, and I did not encounter a web page requesting my authorization
to give the application access to my private direct messages.
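The two requirements just described (an app registered for direct-message access, and the user approving the “Authorize app” page) amount to one invariant an authorization server has to hold: a token’s scope is the intersection of what the app registered for and what the user actually approved on the prompt that was shown, regardless of session state or how many times the user signs in. The Python model below is an added example, not Twitter’s code and not a description of the real root cause (which Twitter described only as complex code and incorrect assumptions and validations). The “buggy” issuer is a constructed stand-in that reproduces the symptom from this post, shown beside an issuer that holds the invariant and an audit function that flags any token scope beyond recorded consent. The app name, user name and scope labels are assumptions.

```python
"""Constructed model of the consent invariant behind the post's bug.

Not Twitter's code: the buggy issuer is a hypothetical stand-in that reproduces
the observed symptom (direct-message access appearing on a later sign-in with no
active session) so it can be contrasted with the correct rule and audited.
"""
from dataclasses import dataclass, field

READ, WRITE, DM = "read", "write", "direct messages"

# Permissions each consent page discloses to the user (Image 1 and Image 2 in the post).
PROMPT_SCOPES = {
    "sign_in": frozenset({READ, WRITE}),        # "Sign in" button: no direct messages
    "authorize": frozenset({READ, WRITE, DM}),  # "Authorize app" button: includes direct messages
}


@dataclass(frozen=True)
class App:
    name: str
    registered_level: frozenset  # access level the developer configured at registration


@dataclass
class ConsentStore:
    # (user, app name) -> union of every scope the user has actually approved on a prompt
    consents: dict = field(default_factory=dict)

    def record(self, user, app, prompt):
        """Record what the user approved: the prompt's scopes, capped by the app's level."""
        key = (user, app.name)
        approved = app.registered_level & PROMPT_SCOPES[prompt]
        self.consents[key] = self.consents.get(key, frozenset()) | approved
        return self.consents[key]


def issue_token_buggy(store, user, app, prompt, active_session):
    """Hypothetical model of the symptom (assumed mechanism, not the real cause):
    when a returning user re-authenticates with a password instead of an active
    session, the issuer trusts the app's registered level, not recorded consent."""
    key = (user, app.name)
    returning = key in store.consents
    consented = store.record(user, app, prompt)
    if returning and not active_session:
        return app.registered_level  # silently broadens scope to all the app registered for
    return consented


def issue_token_fixed(store, user, app, prompt, active_session):
    """Invariant: token scope == consented scope. Session state and prior visits are
    irrelevant, so a sign_in prompt can never yield direct-message access."""
    return store.record(user, app, prompt)


def audit_token(store, user, app, token_scope):
    """Defender-side check: scopes a token carries that the user never approved."""
    return frozenset(token_scope) - store.consents.get((user, app.name), frozenset())


def replay(issuer):
    """Replay the sequence from the post with a constructed user and app: first sign-in
    with an active session, later sign-in with none. Returns both token scopes and the
    audit result for the second token."""
    store = ConsentStore()
    app = App("dm-capable-app", frozenset({READ, WRITE, DM}))  # registered for DM access
    first = issuer(store, "alice", app, "sign_in", active_session=True)
    second = issuer(store, "alice", app, "sign_in", active_session=False)
    return first, second, audit_token(store, "alice", app, second)


if __name__ == "__main__":
    for name, issuer in (("buggy", issue_token_buggy), ("fixed", issue_token_fixed)):
        first, second, excess = replay(issuer)
        print(f"{name}: first={sorted(first)} second={sorted(second)} unapproved={sorted(excess)}")
```

Running the script replays the post’s sequence twice: under the buggy issuer the second sign-in comes back with “direct messages” and the audit reports it as unapproved; under the fixed issuer both tokens carry only read and write. The audit function is the part worth keeping in a real system: reconciling issued token scopes against the consent record on every issuance would have surfaced this class of bug before a user did.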

I tried to quickly determine the root cause, although I had
little time. However, I could not determine this. I therefore decided to report
the vulnerability to Twitter and let them do a deeper investigation. The
Twitter security team quickly answered and took care of the issue, fixing it
within 24 hours. This was impressive. Their team was very fast and responsive.
They said the issue occurred due to complex code and incorrect assumptions and
validations.

While I think the Twitter security team is great, I do not think
the same of the Twitter vulnerability disclosure policy. The vulnerability was
fixed on January 17, 2013, but Twitter has not issued any alerts/advisories notifying
users.

There should be millions
of Twitter users (remember Twitter has 200 million active users) who have
signed in with Twitter into third-party applications. Some of these applications
might have gained access to, and might still have access to, Twitter users’ private
direct messages (after the security fix, the application I tested still had access to direct messages until I revoked it).

Since Twitter has not alerted its users of this issue, I
think we all need to spread the word. Please share the following with everyone
you know:

Who told you this crap? Privacy is perfectly possible online. By a careful combination of awareness, cryptography, use of proxy servers or darknets, and [pseud/an]onymity, you can be as private or as public as you want.